geronimo-dev mailing list archives

From "Trygve Hardersen (JIRA)" <>
Subject [jira] Commented: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up
Date Wed, 22 Jul 2009 13:07:14 GMT


Trygve Hardersen commented on GERONIMO-4756:


I've been trying to upgrade our application to use Jetty7, but can't get the run-as security
to work. Since our application is rather complex and big, I've created a sample project that
illustrates the problem in a more controlled environment using the current Geronimo trunk
(rev 796620) without any modifications.

The sample project is called JGS (Jotta Geronimo Security) and has 3 components that are deployed
as Geronimo plugins:

realm-plugin - Holds the security realm and credential store
ejb-plugin - Holds the EJB service layer
web-plugin - Holds the WAR HTTP layer

The realm-plugin uses a custom login module TestLoginModule that checks that the supplied
username matches the supplied password. If the username is "admin", "anonymous" or "system",
the username will also be used as role name. If not, the role name will be set to "customer".
The realm-plugin also holds a credential store that gives the username and password for the
"anonymous" and "system" run-as users.

The ejb-plugin has two stateless session beans; TestServiceEJB and SecureServiceEJB. Both
EJBs are set to run-as "system". TestServiceEJB declares the roles "admin", "anonymous", "customer"
and "system", and references the SecureServiceEJB. TestServiceEJB has three "hello" methods:

sayHello(String) - Says hello to admin, anonymous, customer and system users.
sayHello() - Says hello to customer users.
secureHello(String) - Says hello to admin, customer and system users using SecureServiceEJB
to demonstrate run-as security.

The SecureServiceEJB declares the same roles as TestServiceEJB, but only has one method:

sayHello(String) - Says hello only to system components.

In other words SecureServiceEJB can only be used by callers in the "system" role, such as

All of this works as expected including run-as security, at least when I use remote EJB to
test the services directly. See RemoteEJBTest in the ejb-test module. The problem starts when
I try to use run-as security in the web-plugin. This is what I want:

/welcome - WelcomeServlet says hello to the user identified by a parameter called "name".
Set to run-as "anonymous".
/default - DefaultServlet does the same as WelcomeServlet, but does not declare run-as and
should use the default run-as identity which is also "anonymous".
/customer - Customer servlet is only accessible by "customer" users, and does not use run-as.
/system - SystemServlet should run-as system because it is a secure system component.

Of these 4 URLs I can only get /customer to work properly. When the URL is used the BASIC
authentication triggers and the user can log in as "test"/"test" or whatever they like. The
username is picked up all the way down to the EJB that greets the customer.

The 3 other URLs generally do not work. I've tried many configuration combinations, such as
using run-as annotations, defining security constraints for the "run-as" URLs, disabling the
default run-as subject and only using a single servlet, but I can't get things to run-as anything
consistently. Strangely I'm 99% sure I've seen the run-as security work a couple of times,
at least after doing normal authentication first. Could there be a concurrency issue somewhere?

I'm attaching the sample project. Thanks a lot for looking into this, and please let me know
if you have questions.

> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>                 Key: GERONIMO-4756
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined,
> not only if authentication is specifically configured: this will make default subjects work
> when no auth is configured.  Should not be a problem for tomcat.... for some reason I found
> this problem there already :-)
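The layout Trygve describes (two run-as "system" beans, a SecureServiceEJB reachable only by the "system" role, and a WelcomeServlet that runs as "anonymous") is expressed with standard EJB 3.0 / Common Annotations as follows. This is an added illustration written for this archive page, not code from the attached jgs.tar.gz sample; the business interface names (TestService, SecureService), the package name and the greeting strings are assumptions, while the bean names, roles and method names come from the comment above. It shows the distinction the post relies on: @RolesAllowed is checked against the identity that reaches the bean, and @RunAs decides which identity the bean's own outbound calls carry.

```java
// Package name and interface names are assumptions; bean/role/method names are from the post.
package org.example.jgs;

import java.io.IOException;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// --- SecureService.java (assumed local business interface) ---
@Local
interface SecureService {
    String sayHello(String name);
}

// --- TestService.java (assumed local business interface) ---
@Local
interface TestService {
    String sayHello(String name);
    String sayHello();
    String secureHello(String name);
}

// --- SecureServiceEJB.java ---
// Reachable only when the identity arriving at the bean is in the "system" role,
// i.e. from a component that itself runs as "system".
@Stateless
@RunAs("system")
@DeclareRoles({"admin", "anonymous", "customer", "system"})
class SecureServiceEJB implements SecureService {
    @Resource private SessionContext ctx;

    @RolesAllowed("system")
    public String sayHello(String name) {
        // getCallerPrincipal() reports the propagated run-as identity of the
        // calling bean, not the end user who made the HTTP request.
        return "Hello " + name + " (secure, caller=" + ctx.getCallerPrincipal().getName() + ")";
    }
}

// --- TestServiceEJB.java ---
// Authorization on each method uses the caller's own role; the @RunAs on the class
// only affects the identity this bean uses when it calls SecureServiceEJB.
@Stateless
@RunAs("system")
@DeclareRoles({"admin", "anonymous", "customer", "system"})
class TestServiceEJB implements TestService {
    @EJB private SecureService secureService;
    @Resource private SessionContext ctx;

    @RolesAllowed({"admin", "anonymous", "customer", "system"})
    public String sayHello(String name) {
        return "Hello " + name + " (caller=" + ctx.getCallerPrincipal().getName() + ")";
    }

    @RolesAllowed("customer")
    public String sayHello() {
        return "Hello customer " + ctx.getCallerPrincipal().getName();
    }

    @RolesAllowed({"admin", "customer", "system"})
    public String secureHello(String name) {
        // The outbound call is made as "system" because of @RunAs, so it passes
        // SecureServiceEJB's @RolesAllowed("system") check even for a "customer" caller.
        return secureService.sayHello(name);
    }
}

// --- WelcomeServlet.java (mapped to /welcome in web.xml) ---
// Runs as "anonymous", which is in sayHello(String)'s allowed roles. If the container
// never applies the run-as / default subject (the bug tracked by GERONIMO-4756), the EJB
// call carries no principal and the container rejects it with javax.ejb.EJBAccessException.
@RunAs("anonymous")
class WelcomeServlet extends HttpServlet {
    @EJB private TestService testService;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");
        if (name == null || name.trim().isEmpty()) {
            // Validate input before handing it to the service layer.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing 'name' parameter");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(testService.sayHello(name.trim()));
    }
}
```

Nothing in these annotations names the realm or the default subject; in Geronimo those come from the deployment plan (the <security-realm-name> the issue description mentions and the credential store the realm-plugin provides), which is exactly the part the reporter says Jetty 7 skips when no authentication is configured. A quick way to confirm which identity actually reaches a bean is the getCallerPrincipal() string included in the responses above: "system" on the secure path, "anonymous" on /welcome, and the logged-in user on /customer.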

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
